Thanks Jon for sending this one in. Taken from a post bugtraq by Tom Micklovitch (dated Feb 8th):
Exploit:
Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list.
None of the contacts will have been alerted to the fact that the new username actully belong to an entirely different person, so they'll still be sending messages, and if the new user is a haxor, (s)he'll be replying just as if (s)he's the original user.
I alerted Microsoft on monday, and have received no reply. so there. :)
News source: MSN Contact List Disclosure - Security Focus